R.E.S.P.E.C.T.: The way for CISOs to get and keep it

If you've got a "C" at the beginning of your professional title, you're at the top, or pretty close to it.

That, at least, is the perception of most people below the "C-suite" in an organization.

But, there is a hierarchy in the C-suite as well, and the Chief Information Security Officer (CISO) tends to be stuck at the low end of it, both in influence and respect.

That's the finding of a survey by ThreatTrack Security, reported in a white paper titled, "No Respect: Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers."

More specifically, the survey of 203 C-level executives at U.S. organizations employing a CISO found that a large majority (74%) thought CISOs didn't even deserve a seat at the C-level table and viewed them primarily as, "a convenient scapegoat in the event of a data breach."

Given the enormous importance of a CISO's job -- to protect the corporate "jewels" from theft or exposure -- why is the position what some sardonically call "the Rodney Dangerfield" of the C-suite?

In casual terms, it seems to come down mainly to this: Being a geek isn't enough.

The majority of executives surveyed believed their CISOs' skillsets were too narrow for them to succeed as leaders outside of infosec.

Or, as ThreatTrack President John Lyons put it, "the corporate C-suite is a very competitive place. This finding underscores that many C-level peers view CISOs as one-dimensional -- the 'security guy' only."

It has actually been worse than that for some time -- a CISO and his or her team have for years been frequently viewed not only as "just security people," but as an impediment to the effective functioning of a business, when they seek to impose security restrictions on workers.

A frequent complaint about CISOs is that they don't know how to, "speak the language of business."

And according to Lyons, that leads to a lack of respect. "Trying to enforce rigid security mandates and policies that others view as barriers to progress and productivity no longer works in today's fast-paced, technology-driven corporate environments," he said.

In short, to gain respect in the C-suite, CISOs have to work to be viewed as business enablers, not impediments.

"To be respected, CISOs must demonstrate their ability to view business problems from different and multiple lenses," said Gus Anagnos, vice president of strategy and operations at Synack. "Security decisions can, and in most cases do, have a broad impact on a company."

He agreed that CISOs have to overcome the perception that they are introverted technocrats and little else. If they can't discuss much outside of IT issues, "executive peers can interpret this as an inability to see and understand the big picture, leading them to conclude that CISOs are ill-equipped leaders," Anagnos said.

That is the way Jason Clark, CISO at Accuvant, sees it as well. "To gain respect, the CISO needs to be a business-savvy executive who needs mentoring from either the CEO or CIO, or from another top CISO," he said.

Dave Frymier, CISO at Unisys, agreed. "Any security -- military, protecting the Pope, information security -- is a balance between risk and usability," he said. "Unless CISOs understand at least something about organizational objectives and business needs, they won't be able to make, or explain, that tradeoff in a meaningful way."

Chris Wysopal, cofounder, CTO and CISO of Veracode, has a similar message. CISOs, he said, should "focus their attention on ideas that truly add to top-line business value. Understanding how to position security as an enabler for winning, serving and retaining business for the enterprise is essential."

He added that part of the problem is that the CISO role, "is relatively new and currently being defined compared to the more established C-level executive roles. What CISOs are discovering is that their security skillset is only part of what is needed for longevity."

Indeed, mega-retailer Target didn't even have a CISO at the time of its catastrophic security breach in December 2013, which compromised up to 110 million customer credit and debit cards and led to the "resignations" of the CEO and CIO. The company finally hired a CISO in June 2014.

That suggests that the CEO and others higher up the executive food chain may not understand the role of the CISO as well as they do other C-level positions that have existed for decades.

Clark said the chance of friction at the C-level is greater not just because the CISO is a relatively new role, but also because it is that of a change agent, "because the threats and the way risk is addressed is evolving. This is why it's important for them to be consulted, engaged and an ongoing part of the business."

And Frymier contends that another reason for that lack of understanding is because most CISOs are not structurally part of the C-suite anyway. "In many -- if not most -- organizations, the CISO reports to the CIO who reports to the CFO or COO, who reports to the CEO," he said. "This person is thus at least two levels removed from the C-suite."

Whatever the structure, those in the field agree that it is mostly up to the CISO to explain that role and how it can enable both the effectiveness and security of the organization.

"CISOs need to learn new skillsets, understand the greater business dynamics that drive the enterprise and be able to communicate effectively to other C-level executives," Wysopal said. "It's about being recognized as a strategic asset to the company."

Anagnos said he believes most CEOs take security seriously, but need to have questions like: "What is the risk?" "What is our current security posture?" and "What to do?" explained and answered clearly by a CISO.

And then there is the "convenient scapegoat" perception. While it is clearly a pejorative term, it seems reasonable to ask why the chief of security shouldn't be held accountable for security breaches. Isn't that what the job involves?

It's a bit more nuanced than that, according to Lyons, who noted that the ThreatTrack survey found that a significant percentage of executives believed CISOs should be held responsible for security breaches, but, "should have limited say in acquiring the technology and resources to prevent them."

In other words, hold them responsible, but don't give them control. "That mentality demonstrates that many in the C-Suite still do not understand the role of CISOs and the value they can bring to the table," Lyons said.

He agrees that, "CISOs should be accountable for their policies and performance. However, it is important to keep in mind that a data breach in and of itself -- with today's rapidly evolving threats -- is not necessarily evidence of negligence or faulty strategy," he said.

Wysopal said in some cases, the CISO should go, if there are, "overall failures of a program."

But he and others note that, "like any critical business function, a security program is made up from a blend of people, process and technology, all of which need to operate together while evolving to keep pace with an ever-changing threat landscape."

Ultimately, for a CISO to get, and maintain, respect will take what Frymier calls a "two-way street" of communication. The CISO will need to make the business case for security measures, but CEOs need to create a climate of respect for security throughout the organization.

Too frequently, he said, "organizations create a CISO position to 'check the box' that they have one. If the funding isn't there to create a real information security program and an adverse event happens, it's easy to take the symbolic gesture of firing the CISO because he's just a lone person."

That is why, Clark said, it is crucial for CISOs to build a relationship with the entire executive team -- especially during a time of transition.

"The perfect model of a CISO who has survived and thrived is one who focuses on the relationship first," he said.

"The most successful enterprise-level CISOs are not just entrenched in technology and operations. They are savvy executives who know how to build relationships with other C-level executives and get things done. From there, the respect usually follows."

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.